Data Processing Agreement

Last updated: June 23, 2026 · Version 1.0

Provided in English. To execute a signed copy, contact [email protected].

This Data Processing Agreement ("DPA") supplements and forms part of the agreement ("Agreement") between WardenPoint, operated by ФОП Дикий Денис Олександрович (sole proprietor, Ukraine; tax ID РНОКПП/ІПН 3573103216; data-protection contact [email protected]) — the "Processor" — and the customer that accepts this DPA (the "Customer", the "Controller"). It governs the processing of personal data by WardenPoint on the Customer's behalf when the Customer uses the WardenPoint incident-alerting service (the "Service"). On data-protection matters, this DPA prevails over the Agreement.

1. Roles

The Customer is the controller of the personal data it submits (its responders/recipients and the content of its alerts). WardenPoint is the processor, acting only on the Customer's documented instructions. WardenPoint is an independent controller for its own account, billing and security-log data.

2. Scope, duration & purpose

Subject matter: delivery and escalation of the Customer's incident alerts across configured channels, and the related audit log. Duration: the term of the Agreement plus the deletion period in §8. Nature & purpose: routing, dispatching, retrying, escalating and logging notifications to the Customer's chosen recipients.

3. Personal data & data subjects

Data subjects: the Customer's responders/recipients and its own users. Personal data: recipient name/identifier; contact endpoints (phone, email, Telegram/WhatsApp/Viber/Slack/Teams handle or ID); on-call schedule data; acknowledgement events; IP address and request metadata in the audit log; and any personal data the Customer includes in alert payloads. The Service does not request special-category (GDPR Art. 9) data; the Customer must not place such data into alert payloads.

4. Processor obligations (GDPR Art. 28(3))

WardenPoint shall process personal data only on the Customer's documented instructions; bind authorised persons to confidentiality; implement the security measures in §6; respect the sub-processor conditions in §7; assist the Customer with data-subject requests and with Art. 32–36 obligations; delete or return the data after the end of services (§8); and make available the information necessary to demonstrate compliance and support audits (§10).

5. Personal-data breach

WardenPoint will notify the Customer without undue delay, and no later than 72 hours, after becoming aware of a personal-data breach affecting the Customer's data, with the information then available. Report concerns to [email protected].

6. Security measures (GDPR Art. 32)

  • TLS for all API and dashboard traffic (data in transit).
  • Sensitive secrets and integration credentials are encrypted at rest at the application level.
  • UUID-only public identifiers; internal IDs are never exposed.
  • Per-tenant isolation on every authenticated route; scoped API keys; CSRF-protected session auth.
  • Bounded, configurable retention; an append-only audit log with a stable schema.
  • We hold no ISO 27001, SOC 2, HIPAA, PCI-DSS or FedRAMP certification, and channel content is not end-to-end encrypted.

7. Sub-processors

The Customer gives general authorisation for WardenPoint to engage the sub-processors below, under data-protection terms no less protective than this DPA. Voice calls are placed by WardenPoint's own self-hosted telephony (Asterisk) and email is sent from our own mail server — neither is a third party. We give at least 30 days' notice of any addition or replacement, and you may object on reasonable data-protection grounds.

Sub-processor | Purpose
Telegram (Telegram Messenger Inc.) | Telegram text / voice message / VoIP call delivery
Zadarma | SMS delivery and PSTN phone calls (carrier)
Meta (WhatsApp) | WhatsApp template delivery — only if you enable WhatsApp
Rakuten (Viber) | Viber delivery — only if you enable Viber
Universal Bank (MonoPay) | Payment processing (billing data only)
PayPro Global | Payment processing as Merchant of Record (billing data only)
Hostinger (Hostinger International Ltd) | Application & database hosting — EU/EEA (Lithuania); also runs our self-hosted mail server

8. Return & deletion

On termination, or on the Customer's written request, WardenPoint deletes or returns the Customer's personal data and deletes remaining copies within 30 days, except data required to be retained by law. The audit log is deleted on the same schedule, subject to the configured retention window.

9. International transfers

Customer data is stored on infrastructure located in the EU/EEA (Hostinger, Lithuania), so EU/EEA personal data stays within the EEA. WardenPoint is operated from Ukraine (no EU adequacy decision at the date of this DPA); for operator access, and for any sub-processor outside an adequate jurisdiction, the parties rely on the EU Standard Contractual Clauses (Decision 2021/914) and the UK IDTA for UK data, together with a transfer impact assessment.

10. Audits

WardenPoint will make compliance information available on request and, no more than once per 12 months (or after a breach), support a remote audit or security questionnaire.

11. Customer responsibilities

The Customer is responsible for the lawfulness of the data it submits; having a legal basis and any required consent to contact recipients by phone call, SMS or messenger; not placing special-category data into alert payloads; and keeping recipient data accurate.

12. Contact

For this DPA or to execute a signed copy, contact [email protected]. Processor: ФОП Дикий Денис Олександрович, Ukraine.